<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <title>Chapter&nbsp;17.&nbsp;安全</title>
    <link rel="stylesheet" href="css/html.css" type="text/css">
    <meta name="generator" content="DocBook XSL Stylesheets V1.65.1">
    <link rel="home" href="index.html" title="JBoss jBPM 3.1">
    <link rel="up" href="index.html" title="JBoss jBPM 3.1">
    <link rel="previous" href="jpdl.html" title="Chapter&nbsp;16.&nbsp;jBPM Process Definition Language (JPDL)">
    <link rel="next" href="tdd.html" title="Chapter&nbsp;18.&nbsp;TDD for workflow">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
    <table width="100%" summary="Navigation header">
        <tr>
            <th colspan="3" align="center">Chapter&nbsp;17.&nbsp;安全</th>
        </tr>
        <tr>
            <td width="20%" align="left"><a accesskey="p" href="jpdl.html">Prev</a>&nbsp;</td>
            <th width="60%" align="center">&nbsp;</th>
            <td width="20%" align="right">&nbsp;<a accesskey="n" href="tdd.html">Next</a></td>
        </tr>
    </table>
    <hr>
</div>
<div class="chapter" lang="cn">
    <div class="titlepage">
        <div>
            <div><h2 class="title"><a name="security"></a>Chapter&nbsp;17.&nbsp;安全</h2></div>
        </div>
        <div></div>
    </div>
    <p>jBPM的安全特性目前仍在测试阶段。这章讲述可插拔的认证和授权机制，以及说明这个框架的哪些部分已经完成，哪些部分仍未完成。</p>

    <div class="section" lang="cn">
        <div class="titlepage">
            <div>
                <div><h2 class="title" style="clear: both"><a name="securitytodos"></a>17.1.&nbsp;Todos</h2></div>
            </div>
            <div></div>
        </div>
        <p>On the framework part, we still need to define a set of permissions
            that are verified by the jbpm engine while a process is being executed.
            Currently you can check your own permissions, but there is not yet a jbpm
            default set of permissions.</p>

        <p>Only one default authentication implementation is finished. Other
            authentication implementations are envisioned, but not yet implemented.
            Authorization is optional, and there is no authorization implementation
            yet. Also for authorization, there are a number of authorization implementations
            envisioned, but they are not yet worked out.
        </p>

        <p>But for both authentication and authorization, the framework is there
            to plug in your own authentication and authorization mechanism.</p></div>
    <div class="section" lang="cn">
        <div class="titlepage">
            <div>
                <div><h2 class="title" style="clear: both"><a name="authentication"></a>17.2.&nbsp;认证（Authentication）</h2>
                </div>
            </div>
            <div></div>
        </div>
        <p>Authentication is the process of knowing on who's behalf the code
            is running. In case of jBPM this information should be made available from the
            environment to jBPM. Cause jBPM is always executed in a specific environment like
            a webapp, an EJB, a swing application or some other environment, it is always the
            surrounding environment that should perform authentication.</p>

        <p>In a few situations, jBPM needs to know who is running the code. E.g. to add
            authentication information in the process logs to know who did what and when. Another
            example is calculation of an actor based on the current authenticated actor.</p>

        <p>In each situation where jBPM needs to know who is running the code, the
            central method <tt class="literal">org.jbpm.security.Authentication.getAuthenticatedActorId()</tt>
            is called. That method will delegate to an implementation of
            <tt class="literal">org.jbpm.security.authenticator.Authenticator</tt>. By specifying an
            implementation of the authenticator, you can configure how jBPM retrieves the currently
            authenticated actor from the environment.
        </p>

        <p>The default authenticator is
            <tt class="literal">org.jbpm.security.authenticator.JbpmDefaultAutenticator</tt>.
            That implementation will maintain a <tt class="literal">ThreadLocal</tt> stack of authenticated
            actorId's. Authenticated blocks can be marked with the methods
            <tt class="literal">JbpmDefaultAutenticator.pushAuthenticatedActorId(String)</tt> and
            <tt class="literal">JbpmDefaultAutenticator.popAuthenticatedActorId()</tt>. Be sure to always
            put these demarcations in a try-finally block. For the push and pop methods of this
            authenticator implementation, there are convenience methods supplied on the base
            Authentication class. The reason that the JbpmDefaultAutenticator maintains a stack
            of actorIds instead of just one actorId is simple: it allows the jBPM code to distinct
            between code that is executed on behalf of the user and code that is executed on behalf of
            the jbpm engine.</p>

        <p>See the javadocs for more information.</p></div>
    <div class="section" lang="cn">
        <div class="titlepage">
            <div>
                <div><h2 class="title" style="clear: both"><a name="authorization"></a>17.3.&nbsp;授权（Authorization）</h2>
                </div>
            </div>
            <div></div>
        </div>
        <p>Authorization is validating if an authenticated user is allowed to perform a
            secured operation.</p>

        <p>The jBPM engine and user code can verify if a user is allowed to perform a given
            operation with the API method <tt class="literal">org.jbpm.security.Authorization.checkPermission(Permission)</tt>.
        </p>

        <p>The Authrorization class will also delegate that call to a configurable implementation.
            The interface for pluggin in different authorization strategies is
            <tt class="literal">org.jbpm.security.authorizer.Authorizer</tt>.</p>

        <p>In the package org.jbpm.security.authorizer there are some examples that show intentions
            of authorizer implementations. Most are not fully implemented and none of them are tested.</p>

        <p>Also still todo is the definition of a set of jBPM permissions and the verification of
            those permissions by the jBPM engine. An example could be verifying that the current authenticated
            user has sufficient privileges to end a task by calling
            <tt class="literal">Authorization.checkPermission(new TaskPermission("end", Long.toString(id)))</tt>
            in the TaskInstance.end() method.</p></div>
</div>
<div class="navfooter">
    <hr>
    <table width="100%" summary="Navigation footer">
        <tr>
            <td width="40%" align="left"><a accesskey="p" href="jpdl.html">Prev</a>&nbsp;</td>
            <td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td>
            <td width="40%" align="right">&nbsp;<a accesskey="n" href="tdd.html">Next</a></td>
        </tr>
        <tr>
            <td width="40%" align="left" valign="top">Chapter&nbsp;16.&nbsp;jBPM Process Definition Language (JPDL)&nbsp;</td>
            <td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td>
            <td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;18.&nbsp;TDD for workflow</td>
        </tr>
    </table>
</div>
</body>
</html>